The US government shutdown is affecting more than just physical sites like national parks and monuments. Now, government websites are shutting down as their TLS certificates expire, according to internet security and statistics company Netcraft. In an online post, the company says that more than 80 websites using the .gov domain have been made insecure or inaccessible thanks to expired certificates.
TLS certificates are used by websites communicating over encrypted, HTTPS connections. A certificate is used to sign a website’s public encryption key, which ensures that your communication with that website is private and secure: you know which site you’re talking to, and that nobody else is listening in.
The website’s certificate is itself signed by a CA (Certificate Authority) that your browser trusts. Site owners have to renew their certificates every so often, to prove that they’re still the legitimate owners of the site’s encryption keys.
If you visit a site with an expired certificate then your browser will notice and issue a strong warning.
The US government isn’t doing anything deemed nonessential under the current shutdown, and that seems to include renewing TLS certificates. As they expire, sites are beginning to throw expired certificate warnings, and in many cases become unavailable altogether.
One example is NASA’s rocket testing site at https://rockettest.nasa.gov, which throws what’s called an interstitial warning. This means that the certificate has expired, but the browser gives you the option to ignore the warning and visit the website anyway at your own risk. Another site taking this approach to its expired certificate is https://ecf-test.ca6.uscourts.gov, a site used by the US Court of Appeals.
Some sites don’t allow visitors to click past certificate warnings at all, thanks to their inclusion on the HSTS (HTTP Strict Transport Security) preload list. This is a list of sites, maintained by most browser vendors, that can only be visited over HTTPS and have prohibited click-throughs should their domains expire.
Many sites include themselves on the HSTS preload list as a failsafe. The argument is that it’s better to block visits altogether in the event of an expired certificate than to risk having your communications with the site intercepted or diverted.
For example, the certificate for the Department of Justice website https://ows2.usdoj.gov expired on 5 January, meaning that it throws a certificate warning when people try to visit it. Because it includes itself on the HSTS preload list, visitors don’t get the chance to click past the warning and see the site.
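The two outcomes described above (a click-through interstitial versus a hard block for HSTS-preloaded hosts) can be modelled for a certificate inventory. This is an added example, not code from the original article or from Netcraft; the hostnames, dates, preload entries and the 30-day renewal window are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data: hostnames, dates and preload entries are illustrative.
PRELOAD = {"agency.example": True, "single.example": False}  # domain -> includeSubDomains
INVENTORY = [  # (hostname, certificate notAfter as it appears in the certificate)
    ("www.agency.example", "Jan  5 12:00:00 2030 GMT"),
    ("test.lab.example", "Jan  3 12:00:00 2030 GMT"),
    ("api.single.example", "Jan  8 12:00:00 2030 GMT"),
    ("data.lab.example", "Jan 25 12:00:00 2030 GMT"),
    ("portal.lab.example", "Jun  1 12:00:00 2030 GMT"),
]
SEVERITY = {"blocked": 0, "interstitial": 1, "renew": 2, "ok": 3}


def hsts_covers(host, preload=PRELOAD):
    """True if host is preloaded, or a parent is preloaded with includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        domain = ".".join(labels[i:])
        if domain in preload and (i == 0 or preload[domain]):
            return True
    return False


def classify(host, not_after, now, renew_days=30):
    """Return what a visitor would see, or whether renewal is due."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    if expiry <= now:
        # Expired: an HSTS-covered host gets no click-through, others an interstitial.
        return "blocked" if hsts_covers(host) else "interstitial"
    return "renew" if (expiry - now).days < renew_days else "ok"


def triage(inventory, now):
    """Classify every host and sort the worst outcomes first."""
    rows = [(classify(host, not_after, now), host) for host, not_after in inventory]
    return sorted(rows, key=lambda row: (SEVERITY[row[0]], row[1]))


if __name__ == "__main__":
    for status, host in triage(INVENTORY, datetime(2030, 1, 10, tzinfo=timezone.utc)):
        print(f"{status:<13}{host}")
```

Hosts classified as blocked are the ones to renew first, since visitors cannot reach them at all until a valid certificate is installed.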
How bad could things get for the US government’s web presence? It’s possible that more government site certificates will expire if things continue, but some might be set to auto-renew, meaning that their certificates are updated before they expire.
Could things get worse as government domains themselves – which also have to be renewed – expire? Perhaps, although it’s worth noting that .gov domains can only be registered by authorized departments via the US Government’s DotGov organization. This makes it far less likely that some online crook somewhere could begin buying them and impersonating government departments online.
Having said that, manipulating search results is likely to be a lot easier for attackers if government websites shut down completely. It will be easier to increase the ranking for a fake site with the same name as a government site if search engines can no longer reach the real site.
The other worry facing government website users is that sites may stay available, but not be updated. While still technically accessible online, several sites have explained that they will not be maintained during the shutdown: https://www.data.gov, https://www.selectusa.gov, https://www.nist.gov, and https://www.iat.gov are among them.
The takeaway? Be wary when visiting US government sites that display a certificate error. Just because a certificate warning allows you to click through to a site doesn’t mean that you should. Better safe than sorry.
Laurence Marks
Not just informational government websites. Small US non-profits (annual receipts < $50K) must annually file a Form 990-N "e-Postcard" to maintain their status with the Internal Revenue Service. This form can only be filed online; there is no paper form. The filing site is [URL removed]. It gives this response: "This service will be unavailable due to system maintenance. We apologize for any inconvenience. If more information is available, you can find it by selecting the service from the Tools page."
cdoggyd
I wonder if this will invite lawsuits due to public information being unavailable.
Claude
Better planning should have taken care of expiring certificates. Also, unless VPN access has been taken away, there is nothing keeping the “public servants” who maintain this infrastructure from logging in and taking care of the issues. After all, they are guaranteed to be paid whenever the 13% of the government that is shut down reopens.
Brian T. Nakamoto
I agree that there could be better planning, but it’s not fair to expect furloughed employees to fix problems during the shutdown when doing so could be against the law: “Unless otherwise authorized by law, an agency may not accept the voluntary services of an employee. (See 31 U.S.C. 1342.)” U.S. Office of Personnel Management guidance also suggested (before it was noticed by the press) that furloughed employees could do odd jobs to make ends meet while they aren’t receiving a paycheck.
Paul
Working during this shutdown is illegal. I just heard an interview today with a park ranger where people were being sent back home and being told it was not possible for them to volunteer to work during the shutdown. (Not expressing an opinion on whether that makes any sense. :) )
James Beckett (@hackery)
Better planning, true – but purchasing and payments in most large organisations aren’t a matter of waving a credit card at someone, but go through some involved process of supplier management, ordering and multiple approvals, via some dinosaur of a piece of purchase-order software, which itself could have been deliberately suspended because of a shutdown. And the VPN? That infrastructure also probably relies on having a valid certificate – and if they’re ignoring certificate warnings when connecting into the control systems of critical government infrastructure, they could be inviting some rather unhappy days.
Logios Diatrypo
Some GOV links were, “Turned off”. This was not just a Banner Page thing. Is it really that hard to leave the site running or are they sticking it to someone? I was doing my bachelor’s capstone paper on Cyber Incident Response (due 12/31). Links to the NIST standards were down (thankfully I saved a local PDF). Anyway, I completed my last class and will graduate on time in March.
Is it best practice to wait so late to renew these certs? [URL removed]
Anonymous
Anyone paying attention would have noticed this last week.
Bryan
Dunno about you, but when I need to handle something “next week” and half a dozen “finish this yesterday” projects crash through my office, I might defer that specific something to next week.
Not a civil servant, but if my boss suddenly told me don’t come to work tomorrow (without pay), the result would be the same.
Aron M
US government was shut down for two weeks only. As someone who was responsible for updating SSL certificates for most of my professional career, I can’t recall a case where we left renewal to the last 2 weeks. Notifications usually start to appear 90 days before the certificate expires. This looks to me more like a planning issue.
Lessie
The only conversation we should be discussing right now is how the government shutdown affects the overall security of our nation. We must look real vulnerable to Russia right now. A nation divided. Come on America!!
James Beckett (@hackery)
“If you visit a site with an expired certificate then your browser will notice and issue a strong warning.”
Because it’s the only thing assuring you that you’re securely connected to the site you think you are. Clicking past the warning exposes you to shenanigans like DNS spoofing, landing you on an attacker’s replica site to enter your government credentials. How much “shutdown” does it take before someone starts targeting these services?